Abstract
User-defined tokens—both fungible ERC-20 and non-fungible ERC-721 tokens—are central to the majority of contracts deployed on Ethereum. User-defined tokens are non-native on Ethereum; i.e., they are not directly supported by the ledger, but require custom code. This makes them unnecessarily inefficient, expensive, and complex.
The Extended UTXO Model (EUTXO) [5] has been introduced as a generalisation of Bitcoin-style UTXO ledgers, allowing support of more expressive smart contracts, approaching the functionality available to contracts on Ethereum. Specifically, a bisimulation argument established a formal relationship between the EUTXO ledger and a general form of state machines. Nevertheless, transaction outputs in the EUTXO model lock integral quantities of a single native cryptocurrency only, just like Bitcoin.
In this paper, we study a generalisation of the EUTXO ledger model with native user-defined tokens. Following the approach proposed in a companion paper [4] for the simpler case of plain Bitcoin-style UTXO ledgers, we generalise transaction outputs to lock not merely coins of a single cryptocurrency, but entire token bundles, including custom tokens whose forging is controlled by forging policy scripts. We show that this leads to a rich ledger model that supports a broad range of interesting use cases.
Our main technical contribution is a formalisation of the multi-asset EUTXO ledger in Agda, which we use to establish that the ledger with custom tokens is strictly more expressive than the original EUTXO ledger. In particular, we state and prove a transfer result for inductive and temporal properties from state machines to the multi-asset EUTXO ledger, which was out of scope for the single-currency EUTXO ledger. In practical terms, the resulting system is the basis for the smart contract system of the Cardano blockchain.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
- 2.
- 3.
We denote the hash of some data d as \(d^\#\).
References
Atzei, N., Bartoletti, M., Lande, S., Yoshida, N., Zunino, R.: Developing secure Bitcoin contracts with BitML. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1124–1128 (2019)
Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008)
Bartoletti, M., Zunino, R.: BitML: a calculus for Bitcoin smart contracts. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 83–100. ACM (2018)
Chakravarty, M.M.T., et al.: UTXO\(_{\rm ma}\): UTXO with multi-asset support. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12478, pp. 112–130. Springer, Heidelberg (2020). https://omelkonian.github.io/data/publications/utxoma.pdf
Chakravarty, M.M.T., Chapman, J., MacKenzie, K., Melkonian, O., Peyton Jones, M., Wadler, P.: The extended UTXO model. In: Bernhard, M., et al. (eds.) FC 2020. LNCS, vol. 12063, pp. 525–539. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-54455-3_37
Chakravarty, M.M.T., Coretti, S., Fitzi, M., Gazi, P., Kant, P., Kiayias, A., Russell, A.: Hydra: Fast isomorphic state channels. Technical report, Cryptology ePrint Archive, Report 2020/299 (2020). https://eprint.iacr.org/2020/299
Entriken, W., Shirley, D., Evans, J., Sachs, N.: ERC-721 non-fungible token standard. Ethereum Foundation (2018). https://eips.ethereum.org/EIPS/eip-721
Kröger, F., Merz, S.: Temporal Logic and State Systems. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68635-4
Maker Team: The Dai stablecoin system (2017). https://makerdao.com/whitepaper/DaiDec17WP.pdf
Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems - Specification. Springer, Heidelberg (1992). https://doi.org/10.1007/978-1-4612-0931-7
Mavridou, A., Laszka, A., Stachtiari, E., Dubey, A.: VeriSolid: correct-by-design smart contracts for ethereum. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 446–465. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_27
Milner, R.: Communicating and Mobile Systems: the \(\pi \)-Calculus. Cambridge University Press, Cambridge (1999)
Nakata, K., Uustalu, T., Bezem, M.: A proof pearl with the fan theorem and bar induction. In: Yang, H. (ed.) APLAS 2011. LNCS, vol. 7078, pp. 353–368. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25318-8_26
Sergey, I., Kumar, A., Hobor, A.: Scilla: a smart contract intermediate-level language. arXiv preprint arXiv:1801.00687 (2018)
Sergey, I., Nagaraj, V., Johannsen, J., Kumar, A., Trunov, A., Hao, K.C.G.: Safer smart contract programming with Scilla. Proc. ACM Program. Lang. 3(OOPSLA), 185 (2019)
Stellar Development Foundation: Stellar Development Guides (2020). https://solidity.readthedocs.io/
Vogelsteller, F., Buterin, V.: ERC-20 token standard. Ethereum Foundation (Stiftung Ethereum), Zug, Switzerland (2015). https://eips.ethereum.org/EIPS/eip-20
Waves Team: Waves blockchain documentation (2020). https://docs.wavesprotocol.org/
Acknowledgments
We thank Gabriele Keller for comments on an earlier version of this paper.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
A Complete formal definition of EUTXO\(_{\text {ma}}\)
A Complete formal definition of EUTXO\(_{\text {ma}}\)
1.1 A.1 Finitely-Supported Functions
If K is any type and M is a monoid with identity element 0, then a function \(f: K \rightarrow M\) is finitely supported if \(f(k) \ne 0\) for only finitely many \(k \in K\). More precisely, for \(f: K \rightarrow M\) we define the support of f to be \(\mathsf {supp}(f) = \{k \in K : f(k) \ne 0\}\) and \(\textsf {FinSup}[K,M] = \{f : K \rightarrow M : \left| \mathsf {supp}(f)\right| < \infty \}\).
If \((M,+,0)\) is a monoid then \(\textsf {FinSup}[K,M]\) also becomes a monoid if we define addition pointwise (\((f+g)(k) = f(k) + g(k)\)), with the identity element being the zero map. Furthermore, if M is an abelian group then \(\textsf {FinSup}[K,M]\) is also an abelian group under this construction, with \((-f)(k) = -f(k)\). Similarly, if M is partially ordered, then so is \(\textsf {FinSup}[K,M]\) with comparison defined pointwise: \(f \le g\) if and only if \(f(k) \le g(k)\) for all \(k \in K\).
It follows that if M is a (partially ordered) monoid or abelian group then so is \(\textsf {FinSup}[K,\textsf {FinSup}[L,M]]\) for any two sets of keys K and L. We will make use of this fact in the validation rules presented later (see Fig. 5).
Finitely-supported functions are easily implemented as finite maps, with a failed map lookup corresponding to returning 0.
1.2 A.2 Ledger Types
The formal definition of the EUTXO\(_{\text {ma}}\) model integrates token bundles and forge fields from the plain UTXO\(_{\text {ma}}\) model [4] into the single currency EUTXO model definition, while adapting forging policy scripts to enjoy the full expressiveness of validators in EUTXO (rather than the limited domain-specific language of UTXO\(_{\text {ma}}\)). Figures 2 and 3 define the ledger types for EUTXO\(_{\text {ma}}\).
1.3 A.3 Transaction Validity
Finally, we provide the transaction validity rules, which among other things state how forging policy scripts affect transaction validity. To this end, we replace the notion of an integral \(\textsf {Quantity}\) for values by the token bundles discussed in Sect. 2.2 and represented by values of the type \(\textsf {Quantities}\).
As indicated in Sect. 2.1, validator scripts get a context argument, which includes the validated transaction as well as the outputs that it consumed, in EUTXO. For EUTXO\(_{\text {ma}}\), we need two different such context types. We have \(\textsf {ValidatorContext}\) for validators and \(\textsf {PolicyContext}\) for forging policies. The difference is that in \(\textsf {ValidatorContext}\) we indicate the input of the validated transaction that consumes the output locked by the executed validator, whereas for forging policies, we provide the policy script hash. The latter makes it easy for the policy script to look up the component of the transaction’s forging field that it is controlling.
The validity rules in Fig. 5 define what it means for a transaction t to be valid for a valid ledger l during the tick \(\mathsf {currentTick}\). (They make use of the auxiliary functions in Fig. 4.) Of these rules, Rules 1, 2, 3, 4, and 5 are common to the two systems (EUTXO and UTXO\(_{\text {ma}}\)) that we are combing here; Rules 6 and 7 are similar in both systems, but we go with the more expressive ones from EUTXO. The crucial changes are to the construction and passing of the context types mentioned above, which appear in Rules 6 and 10. The later is the main point as it is responsible for execution of forging policy scripts.
A ledger l is valid if either l is empty or l is of the form \(t::l^{\prime }\) with \(l^{\prime }\) valid and t valid for \(l^{\prime }\).
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chakravarty, M.M.T. et al. (2020). Native Custom Tokens in the Extended UTXO Model. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation: Applications. ISoLA 2020. Lecture Notes in Computer Science(), vol 12478. Springer, Cham. https://doi.org/10.1007/978-3-030-61467-6_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-61467-6_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61466-9
Online ISBN: 978-3-030-61467-6
eBook Packages: Computer ScienceComputer Science (R0)